Increasingly, mobile devices are incorporating security protections and techniques into the operating system. In many types of device, applications are “sandboxed” and cannot be attacked by other apps on the device. This also means that each application in its own sandbox typically performs the authentication and authorization process. Applications typically cannot share sessions or tokens which can allow one application to authenticate and other applications to leverage the same session/token to get single sign-on, for example.
Security Assertion Markup Language (SAML) is an XML standard that allows user authentication and authorization data to be exchanged. Using SAML, an online service provider (SP) can contact a separate online identity provider (IDP) to authenticate users who are trying to access secure content. In mobile devices, for example, SAML or other standards and/or protocols may be used to authenticate mobile app users to associated online services. However, some apps may not support certain protocols/standards and/or may not support certain techniques, such as redirection to a separate IDP.
In cases where redirection is not supported, SAML provides a mechanism where the client application authenticates with the SP using standard Basic authentication. The SP will then contact the IdP to get an assertion by passing the credentials provided by the user to the IdP. Using Basic authentication in this manner may not be desired, for example in order to prevent a user's Enterprise credentials (such as Enterprise username and password) from being exposed on the mobile device and/or to a cloud-based service provider (SP).